Advise is intended to provide developers with quick, accurate, open source vulnerability information as they are working on their projects. Our best practices for use of Advise are the following:
Use Advise to augment your existing Unified Agent or other Repo/CI-level integration by adding an integration at the IDE layer. This allows issues to be found even earlier in the SDLC. Always use Advise in addition to your other integrations: the Unified Agent and Repo/CI-level integrations provide important information on licenses and allow you to view reports within the WhiteSource UI.
Make sure that any Advise configuration has been reviewed and matches the configuration of your other integrations. This ensures that the results remain consistent.
Frequently Asked Questions:
1. Why are my results in Advise different from the results of my other WhiteSource scans?
The expectation for Advise is that the results should be the same across all WhiteSource scans. There are cases, however, where the results may be different. Below are the potential reasons why.
The Advise configuration does not match the configuration of your other scans.
Advise has some limitations when compared to the Unified Agent. You can find more information on the limitations of Advise for the IDE you are using in the ‘Limitations’ section of the documents linked above.
Dependencies that are not managed by a package manager (for example, source files) are not included in the Advise scan results.
2. What are the configuration options for Advise for IDEs?
In the IntelliJ IDEA, Python, and WebStorm integrations you have the option to return vulnerabilities for direct dependencies only, or to show vulnerabilities associated with both direct and transitive dependencies.
In the Visual Studio Code integration you have the option to include dev dependencies.
3. What languages and package managers are supported by Advise for IDEs?
The Eclipse integration supports Java projects using the Maven and Gradle package managers.
The IntelliJ IDEA integration supports Java, Kotlin, and Scala projects using Maven, and Java projects using Gradle.
The PyCharm integration supports Pip, Pipenv, and Poetry projects.
The Visual Studio integration supports SDK-style projects based on .NET Core 2.0 and above, and non-SDK-style projects based on .NET.
The Visual Studio Code integration supports NPM and C#-based projects.
The Visual Studio Code integration has the following limitations:
When multiple scanned projects share the same vulnerable transitive dependency but each project contains a different version of that dependency, WhiteSource provides security results for only one of the dependency versions.
For C# projects: the intermediate output path of a C# project (by default the "obj" folder) must be located directly inside the project's folder.
4. How are dependencies resolved using Advise for IDEs?
The way Advise resolves dependencies differs from that of our other integrations. Advise does not use the Unified Agent scanner. Instead of fetching the open source bill of materials (BOM) itself, Advise relies on the IDE or a local command to provide the BOM for a project. If a dependency is not picked up by the IDE or local command as part of the BOM, Advise will not include it in the scan.
5. Why are Advise scans faster than Unified Agent scans?
The Advise scan is a simpler process than a Unified Agent scan. Advise obtains the list of dependencies by fetching the BOM for the selected project via the IDE API or a local command. It then makes a single API call to the WhiteSource server, sending the list of open source library coordinates and receiving back the list of all security vulnerabilities.
In contrast, a Unified Agent scan often runs package manager commands to install and scan the dependencies. The Unified Agent also scans source files and binaries. The results are then stored in your organization by updating your inventory and projects. This process is more complex but more thorough, and it allows you to view the results within the WhiteSource UI.
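The following Python script is an added illustration of the BOM-building step described in questions 2, 3 and 4 above; it is not WhiteSource code and does not call the WhiteSource API. It reads an npm package-lock.json (the real lockfileVersion 3 "packages" layout, where the "" entry is the project itself and "dev": true marks development-only packages), applies the two IDE options the FAQ mentions (direct dependencies only, include dev dependencies), produces the flat list of library coordinates that a single vulnerability lookup would send, and flags the Visual Studio Code limitation where several projects resolve the same dependency to different versions. The two lockfiles and all package names, versions and project names are constructed for the example.

```python
"""Build the open source BOM an Advise-style IDE scan would submit, from an
npm package-lock.json, honouring the FAQ's IDE options.

Added illustration, not WhiteSource code. Both lockfiles below are constructed;
their layout follows npm's lockfileVersion 3 "packages" map.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed project: one production dependency (express -> qs) and one dev
# dependency (mocha -> minimatch).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"express": "^4.18.0"},
             "devDependencies": {"mocha": "^10.0.0"}},
        "node_modules/express": {"version": "4.18.2", "dependencies": {"qs": "6.11.0"}},
        "node_modules/qs": {"version": "6.11.0"},
        "node_modules/mocha": {"version": "10.2.0", "dev": True,
                               "dependencies": {"minimatch": "5.0.1"}},
        "node_modules/minimatch": {"version": "5.0.1", "dev": True},
    },
})

# Second constructed project that resolves qs to a different version.
SAMPLE_LOCK_OTHER = json.dumps({
    "name": "demo-tool", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-tool", "version": "0.1.0", "dependencies": {"qs": "6.5.0"}},
        "node_modules/qs": {"version": "6.5.0"},
    },
})


@dataclass(frozen=True)
class Coordinate:
    """One open source library coordinate as it would be sent to the server."""
    name: str
    version: str
    direct: bool
    dev: bool

    def key(self) -> str:
        return f"npm:{self.name}@{self.version}"


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (after the last node_modules/)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def build_bom(lock_text: str, direct_only: bool = False, include_dev: bool = False) -> List[Coordinate]:
    """Coordinates an IDE scan would submit. Only packages the lockfile knows
    about are considered: vendored source files never reach the BOM."""
    packages = json.loads(lock_text)["packages"]
    root = packages[""]
    direct_names: Set[str] = set(root.get("dependencies", {}))
    if include_dev:
        direct_names |= set(root.get("devDependencies", {}))

    bom = []
    for path, meta in packages.items():
        if path == "":
            continue  # the project itself is not a dependency
        name = package_name(path)
        is_dev = bool(meta.get("dev", False))
        if is_dev and not include_dev:
            continue
        is_direct = name in direct_names
        if direct_only and not is_direct:
            continue
        bom.append(Coordinate(name, meta["version"], is_direct, is_dev))
    return sorted(bom, key=lambda c: c.key())


def coordinate_keys(bom: List[Coordinate]) -> List[str]:
    """Flat list of coordinates for the single vulnerability lookup call."""
    return [c.key() for c in bom]


def conflicting_versions(boms_by_project: Dict[str, List[Coordinate]]) -> Dict[str, Set[str]]:
    """Names resolved to more than one version across the scanned projects;
    results for these may cover only one version, so verify them by hand."""
    versions: Dict[str, Set[str]] = {}
    for bom in boms_by_project.values():
        for c in bom:
            versions.setdefault(c.name, set()).add(c.version)
    return {name: vs for name, vs in versions.items() if len(vs) > 1}


if __name__ == "__main__":
    for direct_only in (False, True):
        for include_dev in (False, True):
            print(f"direct_only={direct_only} include_dev={include_dev}:",
                  coordinate_keys(build_bom(SAMPLE_LOCK, direct_only, include_dev)))
    print("multiple versions across projects:",
          conflicting_versions({"demo-app": build_bom(SAMPLE_LOCK),
                                "demo-tool": build_bom(SAMPLE_LOCK_OTHER)}))
```

Running the script prints the four option combinations side by side, which makes it easy to see why an IDE scan configured for direct dependencies only, or without dev dependencies, reports fewer findings than a Unified Agent scan of the same project.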
6. Where can I find the Advise logs after running a scan?
Eclipse: Go to Window > Show View > PDE Runtime > Error Log.
IntelliJ IDEA: Go to Help > Show Log in Explorer and review the logs in that folder that correspond to the time when you ran the Advise scan.
PyCharm: Go to Help > Show Log in Explorer and review the logs in that folder that correspond to the time when you ran the Advise scan.
Visual Studio: In the ‘Output’ pane, select ‘Show output from:’ > ‘WhiteSource Logs’.
Visual Studio Code: In the ‘Output’ pane, select ‘WhiteSource Debug’.
WebStorm: Go to Help > Show Log in Explorer and review the logs in that folder that correspond to the time when you ran the Advise scan.